Internet Protocol (IP) address spoofing is only partially prevented at the level of individual IP addresses, sub-network segments, and autonomous systems. The Internet is therefore vulnerable to IP address spoofing, and the frequency of IP address spoofing makes it a serious peril. Some examples are provided below:
(a) The ability to forge the source address gives rise to network attacks, for example a response attack and a man-in-the-middle attack.
(b) A forged source address may also enable other forms of attack, for example Distributed Denial of Service (DDoS) attacks, which are hard to detect.
(c) When packets with forged source addresses are allowed onto the network, the source address can no longer be used to determine the origin of an IP packet.
In the prior art, Unicast Reverse Path Forwarding (URPF) is a good solution for tackling IP address spoofing. URPF defines the following packet forwarding mechanism: when a packet is received, the router checks the routing table to determine whether the route back to the packet's source IP address passes through the interface on which the packet was received; if so, the router forwards the packet, and if not, the router discards the packet.
In the process of implementing the present invention, the inventor finds at least the following problems in the prior art:
URPF, deployed at the network border to block attacks that use a forged source IP address, does not work against current DDoS attacks because its basic principle is: the router judges the source address of the egress traffic and blocks that traffic if the source address is not an internal subnet address. However, an attacker may forge an IP address that lies within the attacker's own subnet to launch a DDoS attack, thereby circumventing the URPF protection policy. Therefore, the prior art is unable to block a packet that carries such a forged source address.
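The following is an added example, not code from the patent, illustrating the URPF forwarding check described above and the limitation described in this paragraph. It assumes a constructed routing table with a simple longest-prefix-match lookup; the prefixes, interface names, and sample packets are illustrative and not taken from the patent. The example generalizes the strict check to any number of interfaces and shows which forged source addresses the check drops and which it accepts.

```python
import ipaddress

# Constructed routing table (assumption): (destination prefix, outgoing interface).
# A default route points at the uplink; two customer subnets sit behind LAN ports.
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),
    (ipaddress.ip_network("192.0.2.0/24"), "lan0"),
    (ipaddress.ip_network("198.51.100.0/24"), "lan1"),
]


def lookup(address):
    """Return the interface the router would use to reach `address`.

    Longest matching prefix wins, as in an ordinary forwarding table.
    """
    addr = ipaddress.ip_address(address)
    best_prefix, best_iface = None, None
    for prefix, iface in ROUTING_TABLE:
        if addr in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_iface = prefix, iface
    return best_iface


def strict_urpf_accepts(src, ingress_iface):
    """Strict URPF: accept only if the route back to `src` exits via the ingress interface."""
    return lookup(src) == ingress_iface


def filter_packets(packets):
    """Apply the URPF check to (src, dst, ingress_iface) tuples and return verdicts."""
    verdicts = []
    for src, _dst, iface in packets:
        verdict = "forward" if strict_urpf_accepts(src, iface) else "drop"
        verdicts.append((src, iface, verdict))
    return verdicts


# Constructed sample packets arriving on interface lan0 (the 192.0.2.0/24 side).
PACKETS = [
    ("192.0.2.10", "203.0.113.5", "lan0"),    # genuine host on lan0
    ("198.51.100.7", "203.0.113.5", "lan0"),  # claims lan1's subnet: route back exits lan1, so dropped
    ("203.0.113.99", "203.0.113.5", "lan0"),  # claims an external address: route back exits uplink0, so dropped
    ("192.0.2.200", "203.0.113.5", "lan0"),   # forged but inside lan0's own subnet: passes the check
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(PACKETS):
        print(f"{src:>14} via {iface}: {verdict}")
```

The last sample packet is the case the paragraph above is concerned with: because the forged address still lies within the subnet routed to the ingress interface, the reverse-path lookup succeeds and URPF forwards the packet, so a source-address check alone cannot distinguish it from genuine traffic.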